Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder. Malware that gains read access to that folder (for instance by exploiting a privilege escalation flaw on the device) can copy the token and replay it in specially crafted requests to the Tesla server. With the token alone, criminals can locate the car and open its doors. To enable the keyless driving feature and actually drive the vehicle away, they also need the victim’s username and password.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app so that it captures the username and password when the victim enters them. According to the researchers, the legitimate Tesla app can be modified by exploiting one of the many known Android vulnerabilities, such as the one targeted by TowelRoot. The TowelRoot exploit (for CVE-2014-3153, a Linux kernel futex bug) gives attackers root privileges and has been used by the Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.

A researcher has disclosed a couple of serious Slack vulnerabilities that could have been exploited to obtain sensitive information and take over user accounts. The vendor patched the flaws and awarded the expert a total of $9,000.

According to researcher David Vieira-Kurz, Slack was affected by two access control bypass flaws that could have led to serious damage. The security holes were reported and fixed in April.

The expert first identified a misconfiguration issue related to the use of a module that allows administrators to obtain server status information, including which IP accessed which resource.

While initially this did not seem like a high-risk problem, Vieira-Kurz soon discovered that even unauthenticated users could request the server status, potentially giving them access to sensitive information about Slack’s web servers and their visitors. Slack awarded the researcher $2,000 for reporting this bug.
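The article does not name the module, but the description (server status that includes which IP requested which resource) matches Apache’s mod_status with ExtendedStatus enabled. The fragment below is an added illustration for this page, not Slack’s actual configuration: the weak form that exposes the handler to anyone, followed by a corrected form. The 10.0.0.0/8 admin range is a placeholder.

```apache
# Weak: the status handler is reachable by anyone, and ExtendedStatus adds
# per-request client IPs and requested URLs to the page.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Corrected: same handler, reachable only from loopback and an admin range
# (10.0.0.0/8 is a placeholder). Leave ExtendedStatus off unless it is needed.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
```

A quick check from outside that range: an unauthenticated `curl -sI https://host/server-status` should return 403, not 200. Because the page lists internal paths and client addresses, a 200 is an information leak in its own right, however well the rest of the site is hardened.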

The second vulnerability identified by Vieira-Kurz was far more serious. The issue is related to a backend administration panel that allows Slack employees to obtain information on users and workspaces based on an ID.

The researcher determined that an attacker could use this to reset the password of any user by guessing their ID. The white hat hacker earned $7,000 for this report, which still hasn’t been publicly disclosed by Slack on its HackerOne page.

Through its bug bounty program, Slack offers researchers a minimum of $50 for low severity flaws and at least $1,500 for critical issues. Since the launch of its bug bounty program, the company has resolved more than 500 reports and paid out a total of $180,000.

Slack is a team collaboration tool that lets users create bots to automate tasks such as project management and reminders. However, experts warned in April that many developers had unwittingly committed authentication tokens for their Slack accounts to projects shared on GitHub.

A GitHub search turned up hundreds of such tokens, which could have been used to access potentially sensitive information, including database credentials, logins for internal services and private messages.
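The two cleartext-credential cases on this page, the OAuth token sitting unencrypted in the Tesla app’s sandbox described earlier and the Slack tokens committed to GitHub, call for the same check: scan a pulled app data directory or a cloned repository for token-like strings. The following is an added example written for this page, not Promon’s, Slack’s or the researchers’ tooling. The Slack `xox` prefix and the JWT layout are documented formats; the key-name heuristic for opaque tokens, the minimum length and the two sample files are constructed assumptions.

```python
"""Scan files for credentials stored in cleartext.

Added example, not code from Promon, Tesla, Slack or the GitHub research above.
It covers an app sandbox file (e.g. Android shared_prefs XML pulled from a test
device) holding a long-lived OAuth token, and repository files embedding Slack
tokens or database credentials.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List

# Slack tokens: "xox" + type letter (b bot, p user, a app-level, others) + body.
SLACK_TOKEN = re.compile(r"\bxox[abeprs]-[0-9A-Za-z-]{10,}\b")
# JWTs: three base64url segments; header and payload start with "eyJ" ('{"').
JWT = re.compile(r"\beyJ[0-9A-Za-z_-]{10,}\.eyJ[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\b")
# user:password embedded in a connection URL (postgres://bot:s3cret@host/db).
URL_CREDENTIALS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s@/]+)@")
# Opaque token under a telling key in .env, JSON or shared_prefs XML
# (<string name="oauth_token">...</string>). Key names and the 24-char minimum
# are assumptions about common layouts, not any vendor's real format.
NAMED_TOKEN = re.compile(
    r"(?i)(?:access|oauth|auth|refresh|bearer)?_?token"
    r"\s*(?:[\"']\s*>|[\"']?\s*[=:])\s*[\"']?(?P<value>[0-9A-Za-z+/=_.-]{24,})"
)


@dataclass(frozen=True)
class Finding:
    source: str   # path or label of the scanned text
    line: int     # 1-based line number
    kind: str     # slack-token, jwt, url-credential, named-token
    preview: str  # redacted secret; the scanner never stores the full value


def redact(secret: str) -> str:
    """Keep enough to locate the secret in the file, never enough to use it."""
    return secret[:6] + "..." + secret[-2:] if len(secret) > 12 else "***"


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: List[str] = []
        for kind, pattern, group in (("slack-token", SLACK_TOKEN, 0),
                                     ("jwt", JWT, 0),
                                     ("url-credential", URL_CREDENTIALS, "secret")):
            for m in pattern.finditer(line):
                seen.append(m.group(group))
                findings.append(Finding(source, lineno, kind, redact(m.group(group))))
        # The generic key-name heuristic runs last so a Slack token or JWT that
        # sits behind "TOKEN = ..." is not reported twice.
        for m in NAMED_TOKEN.finditer(line):
            value = m.group("value")
            if any(value in s or s in value for s in seen):
                continue
            findings.append(Finding(source, lineno, "named-token", redact(value)))
    return findings


def scan_tree(root: str, max_bytes: int = 2_000_000) -> Iterator[Finding]:
    """Walk a pulled app data directory or a cloned repository's working tree."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # history needs its own pass
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            yield from scan_text(text, path)


# Constructed sample inputs (not real captures): a shared_prefs file as an
# Android app might write it, and a settings file of the kind found on GitHub.
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="oauth_token">c5f1e2a9d4b7c8e1f0a3b6d9c2e5f8a1b4c7d0e3f6a9b2c5d8e1f4a7</string>
    <long name="token_expires_at" value="1481328000000" />
    <string name="username">owner@example.com</string>
</map>
"""
SAMPLE_REPO_FILE = """# settings.py for a deploy bot (constructed example)
SLACK_TOKEN = "xoxb-123456789012-123456789012-AbCdEfGhIjKlMnOpQrStUvWx"
DATABASE_URL = "postgres://bot:s3cret@db.internal:5432/ops"
ACCESS_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJib3QifQ.abcdefghijklmnopqrstuv"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SHARED_PREFS, "shared_prefs/app.xml") + \
             scan_text(SAMPLE_REPO_FILE, "repo/settings.py"):
        print(f"{f.source}:{f.line}: {f.kind} {f.preview}")
```

Point `scan_tree` at app data pulled with `adb` from a rooted test device, or at a checked-out repository. It only covers files as they are now, so a token removed in a later commit still needs a scan of the git history, and a hit in a shared_prefs file is the cue to move that value behind the platform keystore rather than merely to shorten its lifetime.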

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Repercussions of the massive Yahoo breach
Yahoo announced on Thursday that it has suffered a breach and that account information of at least half a billion users was exfiltrated from the company’s network in late 2014.

Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor helps with this by encrypting your data on your device before it is synchronized to the cloud storage provider of your choice.

How ransomware is impacting companies in six major industries
BitSight analyzed the security ratings of nearly 20,000 companies to identify common forms of ransomware and to determine which industries (among Finance, Healthcare, Education, Energy/Utilities, Retail and Government) are most likely to experience attacks.

Why DNS shouldn’t be used for data transport
Malicious DNS tunnelling is a big problem in cybersecurity.

Basic file deletion increases exposure to security risks
The use of improper data removal methods and the poor enforcement of data retention policies have created the perfect storm for confidential, oftentimes sensitive data to be lost or stolen.

US elections and the hacking of e-voting machines
As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the question of whether the actual voting process can be tampered with interests many.

Malicious torrents management tool uncovered
Researchers have uncovered Raum, a tool used by the Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.

Xiaomi smartphones come equipped with backdoor
If you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.

Chinese researchers hijack Tesla cars from afar
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

We have to start thinking about cybersecurity in space
With all the difficulties we’ve been having with securing computer systems on Earth, the cybersecurity of space-related technology is surely the last thing on security experts’ minds – but it shouldn’t be.

HDDCryptor ransomware uses open source tools to thoroughly own systems
HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files on mounted drives and network shares, locks the computer’s hard disk, and overwrites the boot disk’s MBR.

US gets federal guidelines for safe deployment of self-driving cars
The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

880,000 users exposed in MoDaCo data breach
Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

UK: Financial fraud soars
More than 1 million incidents of financial fraud – payment card, remote banking and cheque fraud – occurred in the first six months of 2016, according to official figures released by Financial Fraud Action UK. By comparison, in the first six months of 2015 there were a little over 660,000 cases.

Should you trust your security software?
Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand.

BENIGNCERTAIN-like flaw affects various Cisco networking devices
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.

Tencent’s researchers understandably didn’t reveal details about the flaws, but provided a video demonstration of the attacks.

With the cars parked, they remotely opened the sunroof, turned on the blinkers, moved the seat and opened the doors. While a car was being driven, they also controlled the windshield wipers, folded the side rearview mirrors, opened the trunk and engaged the brakes from 12 miles away.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.

“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.

The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.